WithSecure Event Collector
This Integration is part of the WithSecure Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.8.0 and later.
WithSecure event collector integration for Cortex XSIAM. This integration was integrated and tested with version 1.0 of WithSecure API
Authentication Process#
To create a Client ID and Client Secret, see this documentation.
Configure WithSecure Event Collector on Cortex XSOAR#
Navigate to Settings Configurations > Data Collection > Automations & Feed Integrations.
Search for WithSecure Event Collector.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL True Client ID Client ID and Client Secret. True Client Secret True First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) False Maximum number of events per fetch, Max 1000 False Trust any certificate (not secure) False Use system proxy settings False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
with-secure-get-events#
Manual command used to fetch events and display them.
Base Command#
with-secure-get-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| fetch_from | The date to start collecting the events from. | Optional |
| limit | The maximum amount of events to return. | Optional |
Context Output#
There is no context output for this command.
Command example#
!with-secure-get-events limit=2 fetch_from="90 days"
Human Readable Output#
With Secure Events#
| action | clientTimestamp | details | device | engine | id | organization | persistenceTimestamp | serverTimestamp | severity |
|---|---|---|---|---|---|---|---|---|---|
| created | 2023-03-15T21:58:34Z | incidentPublicId: 4550314-13 fingerprint: 10e34c3d5a3b531505140351b515e5d0f563b761 initialDetectionTimestamp: 1678917621712 risk: MEDIUM categories: LATERAL_MOVEMENT incidentId: b7ffb469-44c2-4cc0-9adb-6a3663bba393 clientTimestamp: 1678917514000 resolution: UNCONFIRMED userSam: NT AUTHORITY\SYSTEM | name: WIN10-TMPLT id: 45581e9d-266c-4676-9f55-1ff36f7519f9 | edr | dae559cd-37fe-3fc8-8fb1-7098c8a4d368_0 | name: Palo Alto_comp id: b856d1ab-29c1-4803-b9b5-91ec7b24f94c | 2023-03-15T22:00:22.985Z | 2023-03-15T22:00:22.574Z | critical |
| created | 2023-03-15T14:01:29Z | incidentPublicId: 4550314-5 fingerprint: 3a653902d97ee6aa241b3e4ae18b0c01a32b97fe initialDetectionTimestamp: 1678891152183 risk: HIGH categories: SYSTEM_OR_TOOL_MISUSE incidentId: 3b519e5d-addd-440f-b2b6-d8ab5bb0f4ff clientTimestamp: 1678888889000 resolution: UNCONFIRMED userSam: A-WIN81X64-TEMP\admin | name: A-WIN81X64-TEMP id: fb939719-e4b5-4fb0-bfd9-3e7079833cec | edr | 1efd19d1-64db-3a56-b8fd-8da2cb87dc20_0 | name: Palo Alto_comp id: b856d1ab-29c1-4803-b9b5-91ec7b24f94c | 2023-03-15T14:39:15.695Z | 2023-03-15T14:39:13.022Z | critical |